The CyberWire Daily Podcast 9.4.18
Ep 676 | 9.4.18

Tracking Stone Panda to the Tianjin Bureau. Ad-fraud and Tokelau. RansomWarrior decrypted. US Congress to grill Facebook, Google, and Twitter. Celebrity scams.


Dave Bittner: [00:00:00] Before we start today's show, a quick word about our interviews - every day, we get interesting interview pitches from around the world. And as we look for relevant cybersecurity content to share, we want you to know that we're always on the lookout for new and interesting people to talk to. The interviews in our daily podcast are not paid placements, just conversations we think our audience will find valuable. If you think you've got something to say, visit our website and let us know.

Dave Bittner: [00:00:30] Intrusion Truth seems to have Stone Panda dead to rights. Chinese intelligence increases targeting of expatriate Uighurs. Zscaler warns that an ad-fraud campaign is making use of the Tokelau top-level domain. Check Point has a decryptor for RansomWarrior. The U.S. House and Senate will hear from Facebook, Twitter and Google this week about influence operations, content moderation and alleged monopolistic practices. And no, believe it or not, Pope Francis isn't giving away bitcoin, nor did former President Obama encrypt your files.

Dave Bittner: [00:01:10] And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives - the Johns Hopkins University Information Security Institute and Navigant will host the event on Tuesday, October 2, in Baltimore, Md., on the Johns Hopkins Homewood campus. The theme this year is cybersecurity compliance and regulatory trends, and the conference will feature discussions with thought leaders across a variety of sectors. You can find out more and register at, and click on the fifth annual Cybersecurity Conference for Executives. Learn about emerging regulations and how the current cybersecurity landscape is changing as companies must adhere to these regulations and take actionable steps to become compliant. Check out all the details at, and click on the fifth annual Cybersecurity Conference for Executives. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:13] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 4, 2018. CrowdStrike has confirmed certain claims by Intrusion Truth that APT10, also known as Stone Panda, is connected to the Tianjin bureau of China's Ministry of State Security and has also confirmed the identities of two people whom Intrusion Truth has been tracking. CrowdStrike specifically confirmed that one of the two was the owner of a blog account whose handle was fisherxp and that he was associated with a 2010 phishing campaign by Stone Panda. The two had followed one another on Twitter. And the second individual was also connected with a GitHub account holding versions of Stone Panda's remote-access Trojans Quasar and Trochilus.

Dave Bittner: [00:03:02] Intrusion Truth, described in the trade press as shadowy, effectively represents itself as a hacktivist group dedicated to exposing Chinese intelligence, or in their self-description, quote, "we hunt APTs," which is about all they have to say about themselves. Intrusion Truth, whoever they may be, blog on a WordPress site. Their posts are literate, which isn't always the case in this space, and they pursue Chinese intelligence officers with dogged intensity, down to tracking their working hours and their Uber rides. What's Chinese intelligence up to these days? Apart from the customary interest in industrial espionage, there's a good bit of current and nasty attention being paid to the Uighur diaspora, with threats made against relatives still in China of Muslim Uighurs living abroad.

Dave Bittner: [00:03:54] Zscaler researchers are tracking a spam campaign that directs users to .tk sites, the national top-level domain for Tokelau, in the service of, for the most part, an ad-fraud campaign. Zscaler estimates the ad fraud brings in more than $20,000 a month, and other associated scams pull in additional revenue. Tokelau, which allows anyone to register a domain, has a population shy of 1,500 but the world's largest presence on the internet. Small nations once made money by printing stamps for the collectors' market; now they sell domains or even give them away as loss leaders.

Dave Bittner: [00:04:34] Check Point researchers have found and made available a decryptor for RansomWarrior ransomware. Bravo, Check Point. They say it wasn't particularly well-done ransomware and that breaking it was not too tough, but bravo nonetheless.

Dave Bittner: [00:04:50] On Wednesday, the U.S. Congress will hold hearings on the tech industry. They're interested in political influence, privacy and monopolistic practices. The Senate Intelligence Committee will interrogate Facebook, Twitter and Google. The House commerce committee will confine itself to Twitter. Big tech, as represented by these three companies, is feeling a lot of pressure from authorities on both sides of the Atlantic. The British home secretary in particular is on a warpath to force the platforms into more extensive content moderation.

Dave Bittner: [00:05:23] And finally, two implausible scams are circulating. One, a celebrity advance fee come-on, tells the gullible that Pope Francis wants to give away a small fortune in bitcoin. As usual - and you'll remember this from all of the crypto dough Elon Musk was widely believed to be spreading around via Twitter - all you need to do is pay a comparatively modest advance fee. Sounds good, right? The come-on is like this - I have prepared something for you all to cheer you up a bit, says a cheerful pontiff as he introduces the Pope Francis official BTC giveaway - seems legit. I mean, he is always smiling and seems to want people to be cheerful.

Dave Bittner: [00:06:05] The other caper is an unusual takeoff on the ransomware-scareware hybrid. Usually, you'll see a reproduction of, say, the FBI seal with a warning that you've been caught in secret malfeasance and that you can clear the books, avoid embarrassment and recover your files if you deposit some amount as directed. In this recent case, it's not the seal or logo of some well-known law enforcement agency, but rather, the crude ransomware displays the face of former President Obama. He looks pensive in a sport coat and an open-collared shirt, an index finger poised thoughtfully on his pursed lips. The message doesn't sound quite like Mr. Obama, however. It goes like this - hello; your computer is encrypted by me. Yeah, that means your .exe file isn't open because I encrypted it. So you can decrypt it, but you have to tip it. This is a big thing. You can email this email - and they helpfully provide the email here - and get some more information. So you can recover your files if you tip the former POTUS. At least, that's how we read it.

Dave Bittner: [00:07:11] The file properties on this little number, as reported by MalwareHunterTeam, indicate that the malware is called Barack Obama's Everlasting Blue Blackmail Virus Ransomware, which is a mouthful and a lot more gasconade than one normally finds in the name of malicious code. Maybe it's an indication of lack of confidence. We hear that bragging often is. Some observers note that it's unusual for ransomware to encrypt file systems, and that may well risk making the infected device unrecoverable and thus remove any incentive the victim might have had to pay. They read this as either a misstep or incompetence on the hoods' part. If we had to bet, we'd say incompetence. Criminal geniuses are a whole lot rarer than criminal boneheads.

Dave Bittner: [00:07:58] It should be, but isn't, needless to say, that neither the current pope nor the former president is involved in any of this. Love of money, we've heard, is the root of evil. And in this case, it seems the love of altcoin is the root of a great deal of really dumb evil. So buyer beware; don't bite.

Dave Bittner: [00:08:22] Now I'd like to share some words about our sponsor FireEye. They're hosting their annual Cyber Defense Summit in Washington, D.C., from October 1 through October 4. The first two days are devoted to introductory, intermediate and advanced training. It's hands-on, small group and interactive, and it's going to be conducted by some of the best in the business - FireEye's experienced cybersecurity experts. Check out the list of courses at But, of course, there's more, and you won't want to miss that either. The 64th U.S. secretary of state, Madeleine K. Albright, will be there to deliver the guest keynote. Her topic - economy and security in the 21st century. And former Home Depot CEO Frank Blake will share what he learned from his company's 2014 data breach. Don't miss it. To learn more and to register, go to That's And we thank FireEye for sponsoring our show.

Dave Bittner: [00:09:30] And I'm pleased to be joined once again by Emily Wilson. She's the director of analysis at Terbium Labs. Emily, welcome back. You know, it's been about a year now since the AlphaBay takedown. Let's take a look back. How effective was that? How have things changed on the dark web since they went away?

Emily Wilson: [00:09:49] It has, in fact, been a very long year since AlphaBay went down. So the takedowns, just for listeners who aren't as intimately involved in the schedule there as some of us who look at this every day, AlphaBay was the sort of Amazon of the dark web, right? You've heard about this. It went dark on July Fourth, 2017, which was a very disruptive holiday for me; I'll tell you that much.

Dave Bittner: [00:10:13] (Laughter).

Emily Wilson: [00:10:14] And, you know, people were a little confused about what was happening. They weren't sure if AlphaBay had exit scammed, had sort of run off with all of the money held in escrow, if there were technical difficulties. And then a few weeks later, on July 20, the attorney general came out and said that AlphaBay had been taken down, had been seized as part of an international law enforcement effort and that, in fact, the kind of secondary market, the heir to AlphaBay's throne that everyone had flocked to, had been under control of Dutch police for more than a month.

Emily Wilson: [00:10:44] So there was chaos. There was chaos and instability. And over the course of the last year, as listeners will have heard, there have been a series of upheavals, right? Bitcoin ricocheted from, you know, $1,200, I think, the beginning of last year, to, you know, hitting $20,000, which is obviously a big deal on the dark web. People are holding a lot of bitcoin. And a lot of people were finding ways to use their bitcoins. So that's disruptive. There were takedowns and infighting. There was a big fraud ring that was issued. There was an indictment that came out from the Department of Justice earlier this year. The Reddit communities, which is where a lot of information was being traded, were shut down. And so what happened? What does it look like? It looks both completely different and exactly the same.

Emily Wilson: [00:11:32] And this is what I mean by that. The dark web is an incredibly adaptive community. And to be clear here, I'm talking about the criminal communities on the dark web, which is just a portion of what happens there. These communities are adaptive. They are designed that way. And so some communities were more disrupted than others. The drug communities were disrupted, and they had to find new homes. The fraud communities were largely doing fine. They have, you know, operations that really run in parallel to these large markets. But other markets are continuing to thrive. We've had markets go down. We've had markets come back up. The takedowns were effective in that it took down the largest market the dark web has ever seen and potentially dismantled a big criminal network. But they were only as effective as taking down a mob boss in a major city. You haven't finished organized crime. You've just, you know, dealt a pretty significant blow.

Dave Bittner: [00:12:26] Was this just a speed bump, or has there been meaningful long-term friction applied to the system in a way that would decrease the amount of commerce going on?

Emily Wilson: [00:12:37] I think it's fair to say more the latter. There is no denying that this was a milestone for the dark web in the same way that the takedown of Silk Road was, right? This was a very well-run operation, and an operation run at a scale, again, that we haven't seen. And we haven't seen anyone else rise to that occasion. This was a very large market conducting a huge volume of transactions all around the world. And taking that down, and honestly, the willingness of the Dutch police to very effectively - I hear customer service actually improved - very effectively run a dark web market for a month has now made everyone even more paranoid than they were already. Now every time there's a glitch, now every time something goes wrong or a market goes down for a little while - all of which happens regularly on the dark web, anyway - people are having to ask themselves, is this law enforcement? Is it worth it? What am I doing? How do I keep this up and running?

Emily Wilson: [00:13:33] And so some people have been scared off. Some people are operating more cautiously, and some people are figuring out where to go next and how to keep doing this because there will always be people who are going to find a way to do this, and they're just trying to adapt faster than law enforcement can.

Dave Bittner: [00:13:50] Emily Wilson, thanks for joining us.

Dave Bittner: [00:13:55] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at the

Dave Bittner: [00:14:03] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:14:30] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:14:58] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.